Cybercriminals started using Google services more often in phishing campaigns
Gridinsoft Blog, Sat, 21 Nov 2020
https://gridinsoft.com/blogs/cybercriminals-started-using-google-services-more-often-in-phishing-campaigns/

Security researchers have reported an increase in cyberattacks using Google services in phishing campaigns, as a tool to bypass security and steal credentials, credit cards, and other personal information.

The Armorblox team analysed five phishing campaigns, which they call “the top of the deep iceberg”. The attacks exploit features of several Google services, including Google Forms, Google Docs, Google Sites and Firebase, Google’s mobile application development platform.

“Google offers all of these services to make it much easier to build applications. This actually encourages attackers to switch to Google instead of developing the site on their own … in a sense, it also adds credibility to phishing sites hosted by Google,” the experts said.

For example, one of the phishing emails, sent ostensibly on behalf of American Express employees, informed recipients that they had not provided information when verifying their card. The link in the email redirects the user to a page where they can enter their data. The page is hosted on Google Forms, carries American Express branding, and prompts the victim for credentials, credit card details, and even their mother’s maiden name (a common security question).

In another attack, criminals impersonated an enterprise security team by sending an email informing the victim that they did not receive a “critical” message due to a storage quota problem. The email contains a link where they can allegedly verify their details and restart email delivery. The URL redirects to a fake login page hosted on Firebase, where the victim sees their email address pre-filled above the password prompt.

“Mimicking the ‘quick fill’ methods used on forms on legitimate websites is commonly used by cybercriminals to create a false sense of security for victims,” say Armorblox specialists.

The URL goes through one redirect before reaching the Firebase page, hiding the attack from any security technology that might try to track it down.

Let me remind you that I also talked about the fact that Google cloud services are used for phishing.

Google cloud services are used for phishing
Gridinsoft Blog, Wed, 22 Jul 2020
https://gridinsoft.com/blogs/google-cloud-services-are-used-for-phishing/

Attackers, whose main goal is to steal various credentials, are increasingly turning to public cloud services to host decoy files and phishing pages. Even Google services are now being used for phishing.

Check Point experts warn that earlier this year they discovered a campaign that abused Google cloud services. The scammers developed an interesting scheme that includes several legitimate elements to hide the theft of credentials. This tactic makes the attacks much more difficult to detect.

The attack begins with the attackers uploading a malicious PDF document to Google Drive. This document contains a link to a phishing page (allegedly, the content is available only through SharePoint and therefore you need to follow the link).

[Figure: PDF decoy]

The phishing page itself was hosted at storage.googleapis[.]com/asharepoint-unwearied-439052791/index.html. There, the user was prompted to sign in with Office 365 or corporate email. When the victim selected one of the login options, an Outlook login pop-up appeared.

Interestingly, after entering the credentials, the user actually received a PDF report from a reputable international company. The researchers write that the victims are unlikely to notice such fraud, because the pages are loaded from supposedly legitimate sources and do not arouse suspicion.

[Figure: A legitimate report loaded at the last stage of an attack]

Only a look at the source code of the phishing page shows that most of the resources are downloaded from the cybercriminals’ site prvtsmtp[.]com.

“It turned out that the attackers are using the Google Cloud Functions service, which allows them to run code in the cloud, and the resources on the phishing page are loaded from Google Cloud Functions without exposing the attackers’ own malicious domains,” Check Point experts write.
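The source-code check described above, as an added example (not code from Check Point or Gridinsoft): it parses a page's HTML and reports every host other than the page's own that the page loads resources from or submits forms to. The shared-hosting suffix list, the function names and the sample page with its placeholder hosts are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: suffixes of shared hosting where any tenant can publish pages.
SHARED_HOSTS = ("storage.googleapis.com", "firebaseapp.com", "web.app")

class PageAudit(HTMLParser):
    """Collect password fields plus every host the page loads from or posts to."""
    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                 "link": "href", "form": "action"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.foreign_hosts = set()
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True
        ref = attrs.get(self.URL_ATTRS.get(tag, ""))
        if ref:
            # Resolve relative references against the page URL before comparing hosts.
            host = urlsplit(urljoin(self.page_url, ref)).hostname
            if host and host != self.page_host:
                self.foreign_hosts.add(host)

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    host = parser.page_host or ""
    shared = any(host == s or host.endswith("." + s) for s in SHARED_HOSTS)
    return {
        "shared_hosting": shared,
        "credential_prompt": parser.has_password_field,
        "foreign_hosts": sorted(parser.foreign_hosts),
        # A login form on a shared-hosting origin that pulls off-origin content merits review.
        "suspicious": shared and parser.has_password_field and bool(parser.foreign_hosts),
    }

# Constructed sample page; the bucket name and hosts are placeholders, not real indicators.
SAMPLE_URL = "https://storage.googleapis.com/example-bucket-000/index.html"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="style.css">
<script src="https://resources.attacker.example/login.js"></script></head>
<body><form action="https://us-central1-demo.cloudfunctions.net/collect" method="post">
<input type="email" name="user"><input type="password" name="pass"></form></body></html>"""
print(audit(SAMPLE_URL, SAMPLE_HTML))
```

The relative stylesheet resolves to the page's own host and is not reported; only the script host and the form target appear in foreign_hosts.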

Research has shown that prvtsmtp[.]com and many other domains associated with this phishing attack resolve to the same IP address (the Ukrainian address 31.28.168[.]4) and to other addresses in the same block.

This allowed experts to trace the activity of these attackers back to 2018, when they acted in a similar way: first, they placed phishing pages directly on a malicious site, and then switched to Azure.

“Hackers are attracted to cloud storage services that we often use and trust, making it much more difficult to detect phishing attacks. Traditional ‘red flags’ of phishing attacks, such as similar domains or websites without certificates, will not help us much anymore,” said Lotem Finkelsteen, a leading threat analyst at Check Point.

Check Point recommends that users of the Google cloud platform, and even AWS and Azure users, be very careful about this trend.

Let me also remind you that GitLab tested its employees: every fifth one fell for phishing.

Practical steps we can all take to stay protected against these opportunistic attacks are:

  • Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
  • Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
  • Ensure you are ordering goods from an authentic source. One way to do this is NOT to click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
  • Beware of “special” offers. “An exclusive cure for coronavirus for $150” is usually not a reliable or trustworthy purchase opportunity.

Make sure you do not reuse passwords between different apps.
